14.6 Resources

Important Terms Introduced

  • advance-fee fraud

  • application filtering

  • application proxy

  • blacklist

  • cloud computing

  • delivery protocols

  • email virus

  • formatting standards

  • mailbox protocols

  • open relay

  • packet filtering

  • phishing

  • protocol standards

  • screened subnet

  • session filtering

  • spam

  • spam score

  • stateful packet filter

  • tunneling

  • whitelist

Abbreviations Introduced

  • AICPA—American Institute of Certified Public Accountants

  • DMZ—demilitarized zone

  • ESMTP—extended SMTP

  • FTP—file transfer protocol

  • HTML—Hypertext Markup Language

  • HTTP—Hypertext Transfer Protocol

  • IDS—intrusion detection system

  • IMAP—Internet Message Access Protocol

  • MAPI—Message API

  • MIME—Multipurpose Internet Message Extensions

  • MTA—message transfer agent

  • MX—mail exchange

  • POP—point of presence

  • POP3—Post Office Protocol, version 3

  • RFC—Request for Comments

  • RTP—Real-time Transport Protocol

  • SLA—service-level agreement

  • SMTP—Simple Mail Transfer Protocol

  • SOC—Service and Organization Control

  • VoIP—voice over IP

14.6.1 Review Questions

  R1. Describe the structure of an email message. Identify typical header fields. How does the format mark the end of a message’s regular headers?

  R2. Explain the purpose and use of MIME in an email message.

  R3. Describe a typical strategy for formatting an email message with text features not found in a plaintext file.

  R4. Explain the role of mailbox protocols.

  R5. Describe how all three types of network switching (message, circuit, and packet) are used in the email system.

  R6. Explain how to trace the MTAs through which an email message traveled.

  R7. Why is it easy to forge the “From:” header in an email message? Describe how we might spot a forged “From:” header.

  R8. Explain the relationship between spam and various types of financial fraud.

  R9. Describe how a phishing attack works. Explain the role of the spam email, domain name, and website in the phishing attack.

  R10. Explain how email viruses propagate. Explain how email virus hoaxes propagate.

  R11. Describe common techniques for identifying and blocking spam.

  R12. Identify and describe the three filtering mechanisms used by enterprise firewalls.

  R13. Describe the format and contents of rules used by a typical enterprise firewall.

  R14. Identify and describe the four basic techniques for arranging an enterprise’s internet point of presence.

  R15. Describe two basic techniques that might allow an attacker to bypass a firewall.

14.6.2 Exercises

Note: For some problems, your instructor will provide a Wireshark packet capture file that shows a computer starting up and opening a connection to a web page. You will use that packet capture file in exercises marked “Wireshark.”

  E1. (Wireshark.) Locate a series of packets that retrieve an email message from a mailbox.

    1. What frame numbers perform the three-way handshake to open the connection?

    2. What mailbox protocol does the mail program use?

    3. What is the host name and/or IP address of the email server?

    4. Is there a password or other authentication measure used? If so, identify the frame number—or numbers—and describe what happens.

    5. Identify the frame number of the first packet that retrieves an email message.

  E2. Retrieve the header from an email message. Highlight the host identifiers (domain names and/or IP addresses) of the MTAs that carried the message.

  E3. Find a partner in the class. Construct an email whose “From:” line claims that the email comes from someone else. Email it to your partner; your partner also should construct an email with an inaccurate “From:” line and email it to you. Retrieve the header from that email message. Use the headers to determine the actual source of the email. Indicate the differences between the “From:” line and the header information about the email’s delivery.

  E4. The Amalgamated Widget site began with a single firewall configuration, using firewall rules as shown in Table 14.4. Then Amalgamated updated the arrangement to use a dual-firewall arrangement like the one shown in Figure 14.16. All servers now reside on the DMZ, with IP addresses in the 30.40.80.x range. Rewrite the firewall rule set to work with the dual-firewall arrangement. Create two sets of rules: one for each firewall. Be sure to block all internet-to-inside-LAN connections, while still allowing access to appropriate Amalgamated servers. Users on the internet and on the internal LAN should see no difference in the updated configuration.

  E5. Does your organization have an internet acceptable-use policy? Locate and review the policy. Summarize its main points.

  E6. Does your organization have an email acceptable-use policy? Locate and review the policy. Summarize its main points.

  E7. Firewall A is an enterprise firewall with session filtering as described in Section 14.4.2. Firewall B has no features except network address translation and packet filtering.

    1. Can both firewalls block inbound connections? Why or why not?

    2. Can both firewalls block outbound connections? Why or why not?

    3. Can both firewalls allow inbound connections? Why or why not?

    4. Can both firewalls allow outbound connections? Why or why not?
